A bug report from 2006 leads with Ubuntu 21.04 »Hirsute Hippo« to a change in the guidelines regarding the rights of the home directory. So far, home directories have been given file rights 755 during installation. This means that in addition to the user, the rest of the world can read and execute files.
Absurd reason
The slightly absurd reason for this at the time was that most multi-user systems had a “certain level of cooperation, if not trust”. These systems would often be used in family and work settings and should not be overly restrictive in this regard. In the discussion of the bug on Launchpad, Colin Watson, who was then part of the installer team, was inaccessible to reasons of reason and alternative suggestions.
Design over safety
He rejected the suggestion of a shared folder on the desktop that was accessible to all users as an alternative on the grounds that this would cause unrest on the desktop and that a tidy desktop was ultimately an explicit design decision for Ubuntu. The suggestion to simply query the desired rights for the home in the installer was also rejected.
In environments where sharing the content of the home directories is not desired, there are usually knowledgeable administrators who would adjust the rights accordingly. Mark Shuttleworth personally declined to change the status quo . In another statement on this bug, he wrote:
The majority of users of Ubuntu systems either have exclusive use of the machine (personal laptop) or are sharing with friends and relatives. We assume that the people who share the machine are either trusted, or in a position to hack the machine (boot from USB!) Trivially. As a result, there is little to no benefit from the permissions you propose … Ergo, we stick with the permission as they stand today.
Mark Shuttleworth
The discussion has continued for the entire 15 years since the bug report was created and is now contributing to a change in the guideline. As Ubuntu’s Security Tech Lead Alex Murray wrote back in November , times have changed and security vs. convenience is rated differently than it was in 2006 with the increasing use of servers and public clouds.
Better late than never
He therefore suggested /etc/adduser.conf
adapting the file and delivering the home with 750 instead of 755 rights in the future. This leaves the owner with all rights, the group retains the rights to read and execute, and the rest of the world is left with nothing. Since there were no objections, he implemented the change. This only affects new installations and therefore leaves out older releases and upgrades to Ubuntu 21.04.
0 Comments